[wp-meta] [Making WordPress.org] #3192: Provide an API endpoint to fetch plugin checksums

Making WordPress.org noreply at wordpress.org
Sat Oct 21 13:11:35 UTC 2017

#3192: Provide an API endpoint to fetch plugin checksums
 Reporter:  schlessera        |       Owner:  dd32
     Type:  enhancement       |      Status:  accepted
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |

Comment (by dd32):

 Replying to [comment:6 schlessera]:
 > Some observations on
 [https://meta.trac.wordpress.org/ticket/3192?cnum_edit=6#comment:2 #2]
 > '''A. Multiple checksums for a same file'''
 > Given the way ZIPs are being built, I suppose that different downloads
 of a ZIP of a given version name could result in different files as the
 actual content of the ZIP, depending on when the ZIP was built and
 downloaded (i.e. what SVN revision it was built at).

 > To reliably check the files on existing WordPress installations would
 mean that we need to have '''all possible checksums''' for any given file
 at a named version, not only the latest for that named version.

 That is what I outlined in Comment:2 above, and as a result, the POC
 although it's in the ZIP generation class, *does not link checksums to a
 ZIP file* - they may by coincidence match, but you cannot assume that
 `plugin.2.0.zip` will have checksums in the `2.0` file (It might be in
 `2.0.1` instead, because the ZIP is named incorrectly).

 > However, I wonder how we can retroactively calculate these multiple
 checksums for all existing versions. Does it make sense to merge all
 revisions that are tagged with a same version, or can some of them be
 excluded through some existing data?

 We could retroactively calculate them, but I don't think we should bother,
 it's not worth anyones time to do so.
 We can create the checksums for previous tagged releases, which will cover
 the vast majority of plugins. Those who made multiple releases on a tag or
 from trunk would only have checksums for the latest version of the files.
 In other words, checksums going forward will be useful, but historical
 checksums for a plugin which had 50 releases from `/trunk/` in 2009 won't
 be (Only the latest release that was made from /trunk/ would be).

 > '''B. Test plugin'''
 > The exploit plugin is great for making sure the calculated hashes are
 correct, but it seems to be very simple and properly versioned. Can we add
 one other plugin, that is known to include as many edge cases as possible?
 A plugin that has multiple released versions with a same named version
 tag, for example, to test the merging of multiple checksums for a same

 Here's another test checksum file, which covers a file being added in a
 later version update, and the main plugin file being updated.
 If you wish, I can add that to the regular generation & provide you commit
 to it to add

 > '''C. Database'''

 We won't be investigating anything regarding this at this time.

Ticket URL: <https://meta.trac.wordpress.org/ticket/3192#comment:7>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list